-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1516
                     APPLE-SA-2009-11-11-1 Safari 4.0.4
                              12 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Safari
Publisher:         Apple
Operating System:  Windows
                   Mac OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Read-only Data Access           -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3384 CVE-2009-2842 CVE-2009-2841 CVE-2009-2816
                   CVE-2009-2804 CVE-2009-2416 CVE-2009-2414

Reference:         ESB-2009.1500
                   ESB-2009.1281
                   ESB-2009.1165

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2009-11-11-1 Safari 4.0.4

Safari 4.0.4 is now available and addresses the following:

ColorSync
CVE-ID:  CVE-2009-2804
Available for:  Windows 7, Vista, XP
Impact:  Viewing a maliciously crafted image with an embedded color
profile may lead to an unexpected application termination or
arbitrary code execution
Description:  An integer overflow exists in the handling of images
with an embedded color profile, which may lead to a heap buffer
overflow. Opening a maliciously crafted image with an embedded color
profile may lead to an unexpected application termination or
arbitrary code execution. The issue is addressed by performing
additional validation of color profiles. This issue does not affect
Mac OS X v10.6 systems. The issue has already been addressed in
Security Update 2009-005 for Mac OS X 10.5.8 systems. Credit: Apple.
libxml
CVE-ID:  CVE-2009-2414, CVE-2009-2416
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Windows 7, Vista, XP
Impact:  Parsing maliciously crafted XML content may lead to an
unexpected application termination
Description:  Multiple use-after-free issues exist in libxml2, the
most serious of which may lead to an unexpected application
termination. This update addresses the issues through improved memory
handling. The issues have already been addressed in Mac OS X 10.6.2,
and in Security Update 2009-006 for Mac OS X 10.5.8 systems.

Safari
CVE-ID:  CVE-2009-2842
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and
v10.6.2, Mac OS X Server v10.6.1 and v10.6.2, Windows 7, Vista, XP
Impact:  Using shortcut menu options within a maliciously crafted
website may lead to the disclosure of local information
Description:  An issue exists in Safari's handling of navigations
initiated via the "Open Image in New Tab", "Open Image in New
Window", or "Open Link in New Tab" shortcut menu options. Using these
options within a maliciously crafted website could load a local HTML
file, leading to the disclosure of sensitive information. The issue
is addressed by disabling the listed shortcut menu options when the
target of a link is a local file.

WebKit
CVE-ID:  CVE-2009-2816
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and
v10.6.2, Mac OS X Server v10.6.1 and v10.6.2, Windows 7, Vista, XP
Impact:  Visiting a maliciously crafted website may result in
unexpected actions on other websites
Description:  An issue exists in WebKit's implementation of
Cross-Origin Resource Sharing. Before allowing a page from one origin
to access a resource in another origin, WebKit sends a preflight
request to the latter server for access to the resource. WebKit
includes custom HTTP headers specified by the requesting page in the
preflight request.
This can facilitate cross-site request forgery. This issue is
addressed by removing custom HTTP headers from preflight requests.
Credit: Apple.

WebKit
CVE-ID:  CVE-2009-3384
Available for:  Windows 7, Vista, XP
Impact:  Accessing a maliciously crafted FTP server could result in
an unexpected application termination, information disclosure, or
arbitrary code execution
Description:  Multiple vulnerabilities exist in WebKit's handling of
FTP directory listings. Accessing a maliciously crafted FTP server
may lead to information disclosure, unexpected application
termination, or execution of arbitrary code. This update addresses
the issues through improved parsing of FTP directory listings. These
issues do not affect Safari on Mac OS X systems. Credit to Michal
Zalewski of Google Inc. for reporting these issues.

WebKit
CVE-ID:  CVE-2009-2841
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and
v10.6.2, Mac OS X Server v10.6.1 and v10.6.2
Impact:  Mail may load remote audio and video content when remote
image loading is disabled
Description:  When WebKit encounters an HTML 5 Media Element pointing
to an external resource, it does not issue a resource load callback
to determine if the resource should be loaded. This may result in
undesired requests to remote servers. As an example, the sender of an
HTML-formatted email message could use this to determine that the
message was read. This issue is addressed by generating resource load
callbacks when WebKit encounters an HTML 5 Media Element. This issue
does not affect Safari on Windows systems.
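The CVE-2009-2816 entry above describes the server side of a CORS preflight only in one sentence, so here is an added example (not code from Apple, WebKit or AusCERT) that models the exchange from a defender's position. A preflight is an OPTIONS request that names the custom headers the real request will carry in Access-Control-Request-Headers; the server answers with what it permits and performs no application action. The affected WebKit build also copied the page's custom headers onto the preflight itself, so a server that acted on headers found on an OPTIONS request could be driven into a state change. The handler below never runs application logic on a preflight, grants only allow-listed custom headers, refuses unknown origins, and reports any custom headers that arrived on the preflight so the condition can be logged. All function names, the origin allow-list and the constructed request headers are this example's own assumptions.

```python
"""Server-side CORS preflight handling that performs no action on the preflight.

Added example, not part of the APPLE-SA-2009-11-11-1 bulletin. Function
names, the sample origin and the header values are assumptions made here.
"""

# CORS-safelisted request header names; everything else counts as custom.
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
# Headers set by the browser or transport rather than by page script.
BROWSER_SET = {"origin", "host", "user-agent", "referer", "connection", "cookie",
               "accept-encoding", "content-length",
               "access-control-request-method", "access-control-request-headers"}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def is_preflight(method, headers):
    """A preflight is OPTIONS + Origin + Access-Control-Request-Method."""
    h = _lower(headers)
    return (method.upper() == "OPTIONS" and "origin" in h
            and "access-control-request-method" in h)


def custom_headers_present(headers):
    """Names of custom headers actually carried by the request, sorted."""
    return sorted(k for k in _lower(headers)
                  if k not in SAFELISTED and k not in BROWSER_SET)


def handle(method, headers, origin_allowlist, allowed_custom, handler):
    """Return a response dict; `handler` runs only for a real, authorised request."""
    h = _lower(headers)
    origin = h.get("origin")
    if is_preflight(method, headers):
        # Detection: under the WebKit bug the preflight carries the page's
        # custom headers. They are recorded for logging but never acted on.
        leaked = custom_headers_present(headers)
        requested = [n.strip().lower()
                     for n in h.get("access-control-request-headers", "").split(",")
                     if n.strip()]
        if origin not in origin_allowlist or any(n not in allowed_custom for n in requested):
            return {"status": 403, "headers": {"Vary": "Origin"},
                    "preflight": True, "leaked_custom_headers": leaked}
        return {"status": 204,
                "headers": {"Access-Control-Allow-Origin": origin,
                            "Access-Control-Allow-Methods":
                                h["access-control-request-method"].upper(),
                            "Access-Control-Allow-Headers": ", ".join(requested),
                            "Vary": "Origin"},
                "preflight": True, "leaked_custom_headers": leaked}
    # Real request: a foreign Origin must be allow-listed and every custom
    # header it carries must be grantable; only then does the handler run.
    if origin is not None and origin not in origin_allowlist:
        return {"status": 403, "headers": {"Vary": "Origin"}, "preflight": False}
    if any(n not in allowed_custom for n in custom_headers_present(headers)):
        return {"status": 403, "headers": {"Vary": "Origin"}, "preflight": False}
    body = handler(method, headers)
    resp_headers = {"Vary": "Origin"}
    if origin is not None:
        resp_headers["Access-Control-Allow-Origin"] = origin
    return {"status": 200, "headers": resp_headers, "preflight": False, "body": body}


def demo():
    """Constructed exchange: a preflight that (wrongly) carries X-Csrf-Token."""
    calls = []

    def transfer(method, headers):      # stand-in for a state-changing endpoint
        calls.append(method)
        return "transferred"

    allowlist = {"https://app.example"}             # constructed origin
    allowed_custom = {"x-csrf-token"}
    preflight = handle("OPTIONS", {
        "Origin": "https://app.example",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "X-Csrf-Token",
        "X-Csrf-Token": "abc123",        # should never be on a preflight
    }, allowlist, allowed_custom, transfer)
    real = handle("POST", {"Origin": "https://app.example", "X-Csrf-Token": "abc123"},
                  allowlist, allowed_custom, transfer)
    return preflight, real, calls


if __name__ == "__main__":
    pre, real, calls = demo()
    print("preflight:", pre["status"], "leaked:", pre["leaked_custom_headers"])
    print("real:", real["status"], real.get("body"), "handler calls:", calls)
```

The point to carry into any real server is the separation in `handle`: the preflight branch returns before any application code runs, whatever headers the OPTIONS request happens to carry, and `leaked_custom_headers` gives operations a field to alert on when a client is observed sending custom headers on preflights.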
Safari 4.0.4 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

Safari for Mac OS X v10.6.1 and v10.6.2
The download file is named: Safari4.0.4SnowLeopard.dmg
Its SHA-1 digest is: 445df542b183fa65fd9df1f7ff4c6af306e6c0b9

Safari for Mac OS X v10.5.7
The download file is named: Safari4.0.4Leopard.dmg
Its SHA-1 digest is: 0aeb54208cdebcafb3206baf11d8649836273f33

Safari for Mac OS X v10.4.11
The download file is named: Safari4.0.4Tiger.dmg
Its SHA-1 digest is: 4ddfd70420e27bab98864a45f291f688d86f5963

Safari for Windows 7, Vista or XP
The download file is named: SafariSetup.exe
Its SHA-1 digest is: 236cfb9556dd369d95c5b45ddce740b15f2cb267

Safari+QuickTime for Windows 7, Vista or XP
The file is named: SafariQuickTimeSetup.exe
Its SHA-1 digest is: d95d61f2f804576b5d31fc8f47ac310438bc44dc

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iQEcBAEBAgAGBQJK+eX5AAoJEHkodeiKZIkBd68H/0OkE5bsiHteloXSPhwN9mlO
GeL57Y8QGe/MsywQjLwDhcvA1fS6yusmX8gpDLjF8wW9s32O8A9amMazqBfVoyIZ
gHARtEsun47iDz9IgmKmqPWFMbf1u48xSmizepbr/qnRc0hO07Txh2zzTucGR1A0
JYRifQgsvn/6tq5zryJ/WUnUsb6gPDkJu1WBswdWJ2QXBQb3bCEidBy+xDKYUEsI
6FFtcY3kOxp5aaByFprpVQt1i+UJUZAQxHCNWgDNA7LEUcRV6PoKBN25ddpAIXA5
Keo1YMRII32vkOnFM+XSsGdaWhFyxnVghL8WAgSY4gSLXmtVCu/OTFCG3WVCHdg=
=DoEE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFK+z0QNVH5XJJInbgRAuElAJ9FjCeCR2kStjPF6c7em0Kf+Wi45ACeO1Ow
bmumRdfogvqfJ5zsJcMODx0=
=PIPI
-----END PGP SIGNATURE-----
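The bulletin publishes one SHA-1 digest per Safari 4.0.4 download file, which is the check a practitioner runs before executing an installer. The following is an added example, not code from Apple or AusCERT: it hashes a local file in chunks and compares the result to the published table using a constant-time comparison, and it refuses files whose name is not in the table so a renamed installer cannot pass silently. The PUBLISHED table copies the file names and digests exactly as printed in the bulletin above; the function names are this example's own.

```python
"""Verify a downloaded Safari 4.0.4 installer against the digest Apple published.

Added example, not part of the APPLE-SA-2009-11-11-1 bulletin. The table
below is copied from the bulletin; the function names are assumptions here.
"""
import hashlib
import hmac
import io
import os

# File name -> SHA-1 digest, exactly as printed in APPLE-SA-2009-11-11-1.
PUBLISHED = {
    "Safari4.0.4SnowLeopard.dmg": "445df542b183fa65fd9df1f7ff4c6af306e6c0b9",
    "Safari4.0.4Leopard.dmg": "0aeb54208cdebcafb3206baf11d8649836273f33",
    "Safari4.0.4Tiger.dmg": "4ddfd70420e27bab98864a45f291f688d86f5963",
    "SafariSetup.exe": "236cfb9556dd369d95c5b45ddce740b15f2cb267",
    "SafariQuickTimeSetup.exe": "d95d61f2f804576b5d31fc8f47ac310438bc44dc",
}


def sha1_hex_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large installer is never read whole."""
    h = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_bytes(data, expected_hex):
    """True when SHA-1(data) matches expected_hex (any case); constant-time compare."""
    actual = sha1_hex_of_stream(io.BytesIO(data), chunk_size=4)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_file(path, published=PUBLISHED):
    """Look the file up by name in the published table and verify its digest.

    Returns (ok, actual_digest). ok is False for an unknown file name as
    well as for a digest mismatch.
    """
    name = os.path.basename(path)
    expected = published.get(name)
    with open(path, "rb") as f:
        actual = sha1_hex_of_stream(f)
    if expected is None:
        return False, actual
    return hmac.compare_digest(actual, expected.lower()), actual


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        ok, digest = verify_file(p)
        print(f"{'OK ' if ok else 'BAD'} {digest}  {p}")
```

Run it as `python verify.py ~/Downloads/SafariSetup.exe` (script name assumed). SHA-1 is the algorithm Apple published in 2009; a matching digest still rules out a truncated or corrupted download, but SHA-1 no longer offers collision resistance, so for current software prefer the SHA-256 digests or code signatures a vendor publishes.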